Script started on Sat Aug 9 15:42:00 2003
[root@localhost interrogator]# ./interrogator

Where would you like the results stored? [/tmp/interrogator/] 
Check for hidden processes? [Y] 
Check for hidden TCP port listeners? [Y] 

Check for system call patching? [Y]

Check for hidden kernel modules? [Y] 

Check for hidden files? (may take > 15 minutes) [N] Y 
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary 
View results now? [Y] 




[ SUMMARY ]



NO hidden modules were found. 

NO system call table modifications were found. 

NO hidden processes were found. 

WARNING: File size is 60133 (should be 58885): /var/log/sa/sa09 

WARNING: File size is 1010871 (should be 1010003): /var/log/cron

WARNING: File size is 597700 (should be 597264): /var/log/maillog 

NO hidden files were found. 

NO hidden TCP port listeners were found. 

[root@localhost interrogator]# exit

Script done on Sat Aug 9 16:01:52 2003 
[root@localhost interrogator]# ./interrogator

Where would you like the results stored? [/tmp/interrogator/] 
Check for hidden processes? [Y] 
Check for hidden TCP port listeners? [Y] 
Check for system call patching? [Y] 
Check for hidden kernel modules? [Y] 

Check for hidden files? (may take > 15 minutes) [N] Y 
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary 
View results now? [Y] 

[ SUMMARY ] 

NO hidden modules were found. 
NO system call table modifications were found.

WARNING: process id 13745 hidden or just exited (tb) 
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 1 Hidden process listing 

HIDDEN file found: /tmp/hideme 
WARNING: File size is 62629 (should be 61381): /var/log/sa/sa09 
WARNING: File size is 1013693 (should be 1012816): /var/log/cron
WARNING: File size is 599450 (should be 599012): /var/log/maillog

HIDDEN TCP Port Listener found: port 2222 
[root@localhost interrogator]# exit
[root@localhost interrogator]# ./interrogator

Where would you like the results stored? [/tmp/interrogator/]

Check for hidden processes? [Y] 

Check for hidden TCP port listeners? [Y] 

Check for system call patching? [Y]

Check for hidden kernel modules? [Y] 

Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y] 



[ SUMMARY ] 

WARNING suspect module found: f8o0f000 8000 bytes (adore) 
Image stored at /tmp/interrogator/adore.o
FOUND 1 HIDDEN module loaded 

WARNING: Deviations found in the sys_call_table
syscall[2]
syscall[4]
syscall[5]
syscall[6]
syscall[18]
syscall[37]
syscall[39]
syscall[84]
syscall[106]
syscall[107]
syscall[120]
syscall[141]
syscall[195]
syscall[196]
syscall[220]
Suspect mod 

FOUND 15 Modified syscall table functions 
WARNING: Found process id 836 removed from the task_queue.
Launch Path: /root/code/interrogator/demo/trojans/test
WARNING: process id 13745 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 2 Hidden process listings 

HIDDEN File found: /tmp/hideme

WARNING: File size is 2336990 (should be 2335392): /var/log/messages

HIDDEN TCP Port Listener found: port 111 

HIDDEN TCP Port Listener found: port 139 

HIDDEN TCP Port Listener found: port 2222 

HIDDEN TCP Port Listener found: port 6000 

HIDDEN TCP Port Listener found: port 32768 

HIDDEN TCP Port Listener found: port 32769 

[root@localhost interrogator]# exit
[root@localhost interrogator]# ./interrogator

Where would you like the results stored? [/tmp/interrogator/]

Check for hidden processes? [Y]

Check for hidden TCP port listeners? [Y] 

Check for system call patching? [Y] 

Check for hidden kernel modules? [Y] 

Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ] 

WARNING suspect module found: f8a10000 184700 bytes (homegrown) 
FOUND 1 HIDDEN module loaded 

WARNING: Deviations found in the sys_call_table
Suspect module located (0xf89db6d8 - 0xf8a3f000)
FOUND 7 Modified syscall table functions

WARNING: process id 1584 hidden or just exited (tb) 
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 1 Hidden process listing 

HIDDEN File found: /tmp/hideme

WARNING: File size is 1021523 (should be 1020648): /var/log/cron 
WARNING: File size is 603820 (should be 603384): /var/log/maillog

HIDDEN TCP Port Listener found: port 2222 
[root@localhost interrogator]# exit